Tag Archives: IPv6

FortiGate Enables NAT for IPv6 by Default 🤦

Fortinet, IPv6, , , , , , ,

Fortinet has a misstep in its IPv6 settings: NAT66 is enabled by default for every policy. Not only does this make no technical sense and go against established best practices, but in my view, there’s an even bigger issue at play here:

Given the widespread use of FortiGate devices and the still limited level of IPv6 expertise among many administrators, this default setting risks creating false knowledge. Many admins may come away believing that NAT for IPv6 is just as normal as it is for IPv4 – after all, it’s enabled out of the box. And as with any default, people will quickly get used to it.

In this blog post, I’ll therefore look at a few practical workarounds to move away from this approach as quickly as possible.

Continue reading FortiGate Enables NAT for IPv6 by Default 🤦

Basic IPv6 Messages (v2): Wireshark Captures

IPv6, Memorandum, , , , , , , , , , ,

In my IPv6 classes, I always teach the basic IPv6 messages as seen on the wire. There’s so much new stuff, such as Router Advertisements, Duplicate Address Detections, Neighbour Solicitations, and so on. Therefore, I’m using a rather simple packet capture showing the starting process of a client getting its addresses.

For the last 10 years, I used this capture, which I took on a Knoppix Linux along with a German Speedport router, in which SLAAC was used for getting the addresses. However, it turned out that in enterprise-grade networks, stateful DHCPv6 is used more commonly. Hence, I did it again and captured the very first IPv6 messages as seen on an IPv6 node, but this time on a Windows 11 PC and a Debian 13, along with stateful DHCPv6.

Continue reading Basic IPv6 Messages (v2): Wireshark Captures

Introducing FortiNite: Fortinet’s Low‑Latency Power‑Up for Fortnite

Bandwidth/Delay, Fortinet, , , , ,

After years of customers confusing Fortinet with Fortnite, the two companies finally decided to lean into the chaos. The result: FortiNite — a joint innovation designed to deliver “next‑gen latency acceleration” for Fortnite players worldwide, a groundbreaking collaboration with Epic Games’ Fortnite.

Continue reading Introducing FortiNite: Fortinet’s Low‑Latency Power‑Up for Fortnite

Protocol Independent Multicast (PIM) Capture

Routing, , , , , , , , , , ,

You never stop learning. One topic that hadn’t crossed my path in the past decade is: Multicast. Whew. Alongside all the technical literature, online presentations, and various blog posts, I decided to approach it the classic way – through packet captures. ;)

So here’s a new part of the #UltimatePCAP, which contains quite a bit of PIM traffic, including Hello, Join/Prune, Register (via unicast!), and more. Of course, for IPv6 and legacy IP (IPv4). Let’s have a look:

Continue reading Protocol Independent Multicast (PIM) Capture

OSPFv3 Authentication on a Palo Alto (Logical Router)

Authentication, IPv6, Palo Alto Networks, Routing, , , , , ,

I had a hard time figuring out how to configure OSPFv3 authentication on a Palo Alto Networks NGFW due to its different configuration formats compared to a Cisco router.

TL;DR: The SPI must be set in hexadecimal, while the actual key (40 chars, hexadecimal) must be grouped in 5 sections, separated with hyphens.

Continue reading OSPFv3 Authentication on a Palo Alto (Logical Router)

Bad IPv6 Approaches

IPv6, , , , , , , , , , ,

I just got a few emails from an administrator of a medium-sized company, asking some IPv6 questions. They want to use IPv6 to reach the Internet, using two ISPs, while remaining IPv4-only on their internal networks. For whatever reason, they came across three different ideas that were almost completely wrong, speaking of a sound IPv6 design. But why? Maybe because IPv4 thinking is a bigger problem than we ever thought? Or because admins rely on firewall vendors (like Fortinet) that suggest completely wrong network approaches?

Let’s dig into some misconceptions concerning IPv6:

Continue reading Bad IPv6 Approaches

Path MTU Discovery

ICMP/ICMPv6, Internet Access, Routing, , , , , , ,

One of the mysteries for me in IP networks was the Path MTU Discovery (PMTUD) process. I’ve seldom seen any problems with the MTU at all. Fortunately, while troubleshooting some router issues, I captured several ICMP “packet too big” errors along with the original packets. 👍🏻

Let’s have a look at those PMTUD processes for IPv6 and legacy IP with Wireshark. Of course, these captured connections are part of the Ultimate PCAP as well, hence, you can download the most current version of it and analyze it by yourself.

Continue reading Path MTU Discovery

DHCPv6 Prefix Delegation on a FortiGate Firewall

DHCP/DHCPv6, Fortinet, IPv6, , , , , , ,

I got DHCPv6-PD aka prefix delegation up and running on a FortiGate. Yes! âś… Configuring it is tricky since it’s not always clear which options to use. You cannot see everything in the GUI (it even changes depending on other options made later on or selects hidden and wrong default values), hence, you must set specific options via the CLI. I navigated around some bugs and finally got it running. Here we go:

Continue reading DHCPv6 Prefix Delegation on a FortiGate Firewall

Joining an Active Directory: A Packet Capture

Network, Windows, , , , , , , , , , ,

What happens on the network if you’re joining a Microsoft Active Directory domain? Which protocols are used? As I suspected, it’s a bit more complex than just seeing a single known protocol like HTTPS. ;)

Since a PCAP is worth a thousand words, I captured the process of a Windows PC joining an AD. Let’s have a look at it with Wireshark and NetworkMiner. And, as always, you’re welcome to download the packet capture to analyse it by yourself.

Continue reading Joining an Active Directory: A Packet Capture

PANW: Dynamic Routing between Logical Routers

Palo Alto Networks, Routing, , , , , ,

How to route traffic between multiple logical routers aka Inter-LR Routing on a Palo Alto Networks Strata firewall? More precisely, inclusive route redistribution rather than a few static routes. –> Via iBGP through loopback interfaces. âś… Let’s go:

Continue reading PANW: Dynamic Routing between Logical Routers

BGP Route Filtering with Palo’s Advanced Routing Engine (ARE)

Palo Alto Networks, Routing, , , , , ,

With PAN-OS 10.2, Palo Alto Networks has introduced the “Advanced Routing Engine” (ARE) with its “Logical Routers” (LR) rather than the legacy “Virtual Routers” (VR).

The Advanced Routing Engine simplifies operations with a standards-based configuration, which reduces your learning curve since it is similar to that of other router vendors.

The neat thing, as always: You can configure everything through the GUI. Here’s a basic example of how I’m using a prefix list to filter incoming BGP routes:

Continue reading BGP Route Filtering with Palo’s Advanced Routing Engine (ARE)

Dynamic DNS on a Palo

DNS/DNSSEC, Internet Access, Palo Alto Networks, , , , ,

With PAN-OS 9.0 (quite some time ago), Palo Alto Networks has added Dynamic DNS for a firewall’s interfaces. That is: If your Internet-facing WAN interface gets a dynamic IP address via DHCP or PPPoE (rather than statically configured), the firewall updates this IP address to a configured hostname. The well-known DynDNS providers such as Dyn (formerly DynDNS), No-IP, or FreeDNS Afraid are supported. Since the Palo supports DHCP, PPPoE (even on tagged subinterfaces) as well as DHCPv6 respectively PPPoEv6, we can now operate this type of firewall on residential ISP connections AND still access it via DNS hostnames. Great. Let’s have a look at the configuration steps.

Spoiler: The DynDNS feature on a Palo only supports static IPv6 addresses rather than dynamic ones. 🤦🤦🤦 Yes, you haven’t misread. The DYNAMIC DNS feature does not support DYNAMIC IP addresses, but only STATIC ones. D’oh!

Continue reading Dynamic DNS on a Palo

Palo’s Mgmt-Intf is not usable with IPv6 anymore

IPv6, Palo Alto Networks, , ,

Wow, that was unexpected: With PAN-OS 11.1 the out-of-band management interface of Palo Alto Networks firewalls doesn’t accept an IPv6 default route pointing to one of its own data interfaces anymore. That is: In most setups, you can’t use IPv6 for management purposes anymore. “Works as expected.” Wow. Really?

Continue reading Palo’s Mgmt-Intf is not usable with IPv6 anymore

Optimized NAT46 Config on a FortiGate

Fortinet, Internet Access, IPv6, NAT, Tutorial/Howto, , , , ,

Johannes published a basic NAT46 configuration for a Fortigate firewall with FortiOS 7.0 some time ago. I run such a service (legacy IPv4 access to IPv6-only resources) since FortiOS 5.6, which means more than six years; lastly with FortiOS 6.4. It’s running for more than 100 servers without any other problems as we see them with IPv4 only or dual stack services.

But we weren’t happy with the basic configuration example by Fortinet. We wanted some NAT46 sample configuration with more details, that is: including the original source IPv4 address within the synthesized/SNATted IPv6 address. More in this post, after a short story about my way to a running nat46 configuration with port forwarding in FortiOS 7.2.x.

Continue reading Optimized NAT46 Config on a FortiGate

DHCPv6 Prefix Delegation on Palo Alto’s NGFW

DHCP/DHCPv6, IPv6, Palo Alto Networks, , , , ,

Finally! With PAN-OS 11.0 a long missing IPv6 feature was introduced: DHCPv6-PD aka prefix delegation. For the first time, we can now operate a PAN-OS firewall directly on the Internet (the IPv6-Internet that is) on many kinds of ISP connections. Remember: To get a routed IPv6 prefix requires DHCPv6-PD (if you’re not a BGP-homed enterprise). Hence, without that feature, we could not connect to the Internet with a Palo directly.

With DHCPv6-PD, the firewall can receive a prefix from the ISP (commonly a /48 or a /56), while handing out /64s to downstream layer 3 interfaces. Here we go:

Continue reading DHCPv6 Prefix Delegation on Palo Alto’s NGFW